Ah, so finally I designed my disassembler object-oritented style. so much was done and still there is so much to do... but here is what I have so far, after deleting a few hundreds lines of comments with hundreds remaining, I should really clean up the source...

Updates:

v1.3:
-Assembler almost done - need to cleanup and support ModRM.
-Fixed some bugs in assembler, disassembler and opcodes list.

What is soon to come (segments a little buggy):

v1.3b:
-Added full 16-bit support.
-Added full support for 3 operands instructions.
-Added all integer and string instructions.
-Added support for all prefixes, expect address-override which seems useless.
-Fixed all known bugs.
-Fixed some bad instructions that caused bugs.
-Better OOP with encapsulation and more efficient and safe.
-Cleaned some of the code and added some documentation.
-The assembler looks promising.
-Using .NET 3.5 again, but supports (slow) .NET 2.0. (recompile if you want)

Will be released soon.

v1.2:
-Added (almost full) 16-bit support.
-Added some more instructions.
-Added support for 3 operands instructions.
-Added support for all prefixes, expect address-override.
-Fixed some bugs.
-Cleaned some of the code.
-NOW IN COLOR!

Spoiler of what is soon to come (beginning of...):

v1.1:
Still a little messy as before, tons of code in comments and classes with no encapsulation because I wanted to try some stuff quickly and forgot about them...
No major changes, BUT - fixed a lot of bugs, handles some prefixes and instructions that doesn't exist or wasn't found (opcode list still lacking a few instructions...) doesn't mess up the diasssembler.
Nicer output, instructions and operands contain Text property that represents the instructions. to be efficient (when reading thousands of bytes, even though that's still nothing for a computer ;o) it is only created when accessed for the first time, until then it is null. this way you can disassemble a lot and access the Text property only to the few dozens needed that fit the screen.

SharpDisassembler v1.4 will be good enough to use as a library.
(current version still needs some bug fixes and support for 64-bit, support in assembler for 16-bit, FPU instructions and some changes in code design)

Support for different addressing modes such as [12345], [EAX+08], [EAX+ECX] and even [EDI+ESI*4+876543210].

Full support for instructions with up to 2 operands.

An Instruction class that represents an instruction.

An Operand class that represents an operand - currently register, immediate value or address.

Images:
For the following input:

Code:

74 12 75 74 66 36 33 15 10 32 54 00 66 2E 69 94 D8 56 34 12 00 05 10

SharpDisassembler's Output (v1.2):

OllyDBG's Output:

How does it work?
After reading some of Intel's manual, I have learned that there is more to the assembly language than meets the eye. writing a disassembler might not require (too much) hard-coding after all! there seems to be a better, smarter and more efficient way to do so.

Instructions have specific encoding rules and each instruction's format is defined in Opcodes.cs.

SignExtent = s, s = 2 - sign extent means that a smaller value will be extended to a larger value. for example, [6A 08] PUSH 08 - the byte 08 will be extended to the double-word 00000008. another way would be to use the instruction [68 08 00 00 00] PUSH 00000008. note: same value as destination (d) field.

Immediate[X] - An immediate (constant) value. this cannot be the first parameter of a two or three operands instruction (except for OUT, damn Intel and their uncalled for exceptions). if a value (X) is specified explicitly, X-bits are used as an operand. otherwise, size is dependant on the rest of the instruction.

Relative[X] - A relative value. this is used for JMPs, for example. JMP instructions specify distance to jump, some disassemblers choose to display the fixed address. the same for X goes as for Immediate values.

How To:
A static class called "Disassembler" (hopefuly with the ability to assemble too, soon) has a method named "Disassemble" that accepts byte array and an instruction pointer (address of the first byte) which is currently not used (and might not be used at all, eventually - depending on future design) and returns an array of Instruction objects. pretty simple.

A sample project with it's source code and the library's source code is included in the download.

TODO List:

Full support for JMPs and CALLs (relative values, 48-bit addresses, etc...)

Support prefixes.

Support 16-and 64-bit instructions.

Full support for 3 operands instructions.

Design OOP better.

Improve disassembler efficiency and information provided.

Handle certain exceptional instructions (most are specified as comments in the code).

You cannot post new topics in this forumYou cannot reply to topics in this forumYou cannot edit your posts in this forumYou cannot delete your posts in this forumYou cannot vote in polls in this forumYou cannot attach files in this forumYou can download files in this forum